1. Suhas Shravagi
  2. PowerBuilder
  3. Friday, 25 September 2020 09:15 AM UTC

 Hi, I have a desktop application developed in PB 2017 R3. It is connecting to the database (Sybase ASE 12.5) using the global transaction object SQLCA. To connect to the db, we are setting the trans object as:

SQLCA.Database = "MyDB"
SQLCA.Servername = "MyServer"
SQLCA.Logid = "DB_FID"
SQLCA.Logpass = "DB_PASS"
SQLCA.DBMS = "SYC"
SQLCA.Autocommit = TRUE
SQLCA.DbParm="EncryptPassword='True'"

CONNECT USING SQLCA;

This works perfectly fine for me. But the issue is, since this is a global object, it is being logged into the heap memory and a hacker can easily access this information (DB FID, DB instance name) from the memory dump. The password is secure in this case, but other information is still accessible to the hacker. I tried implementing a local transaction object, and found that it resolves the issue, but this is not a good (and feasible) solution as the application has almost 100+ screens where this SQLCA is used; in each screen we would have to initialize, connect, and use the local transaction object. Can there be any alternative (and of course feasible) solution to resolve this? Thanks!

Accepted Answer
Chris Pollach @Appeon
  1. Monday, 28 September 2020 17:52 UTC
  2. PowerBuilder

Hi Olan;

   FYI: I worked on this over the weekend and added security to the base level ancestor (ns_sqlca_master) for all transaction objects in my STD Framework. Now every time the App connects OK to any DBMS, and regardless of whether the TO is a Global, Instance or Locally instantiated object, the TO's sensitive data is automatically encrypted. This was easy to do as my frameworks have included the encryption mechanisms for over a decade now.

   I will upload this new framework code-line version to the OrderEntry Demo App's Beta Test area later today and it will appear in the PB2019 R2 beta area. The PB2019 R3 beta framework will also be updated with this new code-line as well later this week. Enjoy!

FYI: https://sourceforge.net/projects/stdfndclass/files/Applications/PowerBuilder/OrderEntry/Beta/

Regards ... Chris

Comment
  1. Roland Smith
  2. Monday, 28 September 2020 17:58 UTC
What happens if the app needs to disconnect and reconnect?
  1. Chris Pollach @Appeon
  2. Monday, 28 September 2020 20:44 UTC
Good question Roland!

I have also added the appropriate TO base ancestor method to allow the App to reconstitute the TO values for either: a) a Connect / Disconnect operation (assuming that the App just doesn't want to go through the TO Init logic again before the next Connect), or b) cloning a TO connection using the GetTrans / SetTrans methods. ;-)
  1. Chris Pollach @Appeon
  2. Tuesday, 29 September 2020 19:00 UTC
Hi Everyone;

The "Beta" version of the framework with the above TO security is now on SF ... FYI: https://sourceforge.net/projects/stdfndclass/files/Applications/PowerBuilder/OrderEntry/Beta

Note1: This Framework Beta version is for PB 2019 R2 only.

Note2: I modified the approach last night to randomize the encryption by TO instance - for an even more secure memory resident TO. ;-)

Regards ... Chris
Miguel Leeuwe
  1. Friday, 25 September 2020 14:23 UTC
  2. PowerBuilder
  3. # 1

Not that my opinion answers your question, but:

I think that if "a hacker can do memory dumps on your machine" then you're in big trouble on all kinds of levels anyway.

You/your company should concentrate on trying to avoid that kind of access to your pc or network instead.

Of course this is just my humble opinion, not trying to be a wise guy or anything.

Good luck and regards,

MiguelL

Comment
  1. Miguel Leeuwe
  2. Friday, 25 September 2020 14:55 UTC
If you want a better explanation than the one I could give, just listen to this charming hacker girl:

https://www.youtube.com/watch?v=-8f8avZ2V7s (skip to minute 6:00 if in a hurry)

There's a lot more on "her" channel about security.
Chris Pollach @Appeon
  1. Friday, 25 September 2020 14:22 UTC
  2. PowerBuilder
  3. # 2

Hi Suhas;

   Just encrypt or clear the values in SQLCA after the Connect command.

Regards ... Chris

Comment
  1. Olan Knight
  2. Saturday, 26 September 2020 16:06 UTC
A simple and elegant solution! :)
  1. Chris Pollach @Appeon
  2. Saturday, 26 September 2020 21:35 UTC
I love the KISS principle! :-)
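A minimal version of the clear-after-connect approach from Chris's answer, added here as an example; it is not code from the thread or from Chris's framework. It runs in the Application Open event against the global SQLCA, so the 100+ screens that already call SetTransObject(SQLCA) need no change. Assumptions: of_load_connect_params() is a hypothetical function that fills SQLCA from wherever the app keeps its settings, and dw_orders is an illustrative DataWindow control name. Two caveats worth knowing before adopting it: DataWindows attached with SetTransObject() share the live connection and keep working after the wipe, but SetTrans() copies the transaction object's values and has the DataWindow issue its own CONNECT, so it fails once the values are blank; and PowerScript gives no control over when a freed string buffer is reused, so this shortens the window in which the values sit in the heap rather than guaranteeing they are zeroed.

```powerscript
// Application Open event (added example; not code from the thread).
// Assumption: of_load_connect_params() is a hypothetical app function
// that fills ServerName/Database/LogID/LogPass/DBParm from config.
of_load_connect_params(SQLCA)

CONNECT USING SQLCA;

IF SQLCA.SQLCode <> 0 THEN
    MessageBox("Connect failed", SQLCA.SQLErrText)
    HALT CLOSE
END IF

// Connected: the driver holds the session, so SQLCA's copies of the
// parameters are no longer needed by anything using SetTransObject().
of_wipe_trans(SQLCA)


// Global function: of_wipe_trans (transaction atr) returns (none)
// Blanks every attribute that carried identifying or secret data.
// Note: "" replaces the reference; the old buffer is freed, not zeroed.
atr.LogID      = ""
atr.LogPass    = ""
atr.ServerName = ""
atr.Database   = ""
atr.DBParm     = ""
atr.UserID     = ""   // used only by some interfaces; harmless to clear
atr.DBPass     = ""


// In a window or DataWindow ancestor: share the live connection.
// Still works after of_wipe_trans() because SetTransObject() never
// reads the connection parameters, only the open session.
dw_orders.SetTransObject(SQLCA)
dw_orders.Retrieve()

// Do NOT switch to SetTrans() after the wipe: it copies the (now blank)
// attributes into the DataWindow's internal transaction object and the
// DataWindow issues its own CONNECT with them, which fails.
// dw_orders.SetTrans(SQLCA)

// If the app must reconnect later, reload the parameters first:
// of_load_connect_params(SQLCA); CONNECT USING SQLCA; of_wipe_trans(SQLCA)
```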
Armeen Mazda @Appeon
  1. Friday, 25 September 2020 14:04 UTC
  2. PowerBuilder
  3. # 3

Another solution is to use PowerServer 2021 to convert your app. We have enhanced this version of PowerServer to resolve the SQL issue you mentioned. It is a cloud-native architecture, so the data access is automatically converted to execute on the server instead of the client.

Comment
  1. Andreas Mykonios
  2. Friday, 25 September 2020 14:26 UTC
Hi Armeen.

When do we expect PowerServer 2021 to be available?

In the past there was a page showing prices for PowerServer... Now I cannot find it...

To deploy an application to the Cloud, will we have to use PowerBuilder 2021? Or will this be possible in a future release of PowerBuilder 2019?

Finally, will PowerBuilder 2021 rely on PowerServer to deploy Cloud applications? Will those who have PowerBuilder CloudPro have to buy an additional PowerServer license?

I'm asking that because I always thought that PowerBuilder would support cloud deployment without dependency on PowerServer...

Finally, I hope to hear more information about mobile development in the upcoming Elevate...

Andreas.
  1. Armeen Mazda @Appeon
  2. Friday, 25 September 2020 14:31 UTC
Hi Andreas,

The beta version of PowerServer 2021 should be available around January 2021 and the final release in Q2 2021.

The prices are not finalized until the product is released, but if you really need to know the price now for budgeting/planning purposes please email trial@appeon.com and request a quote.

Yes, PowerServer 2021 will require PowerBuilder 2021 to deploy.

PowerBuilder CloudPro includes a development license of PowerServer, but production licenses are sold separately. There are two ways to convert PowerBuilder apps to the cloud using PowerBuilder CloudPro. One is to use PowerServer and it does all the work for you. The other option is to use the PowerScript Migrator to convert your DataWindows and business logic to C# REST APIs and call those from your PowerBuilder app (using the new PowerClient). The second way doesn't require PowerServer but it is much more work.
Andreas Mykonios
  1. Friday, 25 September 2020 11:34 UTC
  2. PowerBuilder
  3. # 4

Hi.

One thing that may work is to modify those values just after connecting to the database. That way this information will be located in the heap as you say, but the real values will be available for only a very short time.

But there may be side effects. For example, I don't know if it will work with the DataWindow's SetTrans() method. And of course, if you have connect commands in many places, this could be hard...

Also you must be sure that you don't check those values somewhere else in your code.

Haven't tested. Just a thought.

But the best solution I can think of would be to create a custom transaction object and instantiate it in the application script. Of course this can require a lot of effort...

Andreas.

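A custom transaction object in the spirit of Chris's ns_sqlca_master ancestor and Andreas's last suggestion, added here as an example; it is not code from Chris's STD Framework or from the thread. n_tr_secure is a standard class user object inherited from transaction. After each successful CONNECT it encrypts its own connection attributes into a per-instance blob under a freshly generated key and IV, blanks the plain attributes, and can reconstitute them for a reconnect or for GetTrans()/SetTrans() cloning (Roland's question). Declaring it as the global variable type for SQLCA in the Application painter (Properties > Variable Types) means PowerBuilder instantiates it at startup and the existing SetTransObject(SQLCA) calls in the 100+ windows stay as they are. Assumptions: the CrypterObject API (SymmetricEncrypt/SymmetricDecrypt with AES! and OperationModeCBC!) is as documented from PB 2017 R3; of_load_connect_params() is hypothetical; the tab-separated packing assumes no attribute contains a tab; and the key comes from Rand(), which is not a cryptographic RNG. The limit to keep in mind, which is also Miguel's point: key and ciphertext live in the same process, so an attacker with the whole dump can still recover the values; this defeats string scanning of a dump, not a determined analyst.

```powerscript
// n_tr_secure (standard class user object inherited from transaction)
// Added example; not code from the STD Framework or the thread.
// Assumes CrypterObject as documented from PB 2017 R3.

// ---- instance variables -----------------------------------------
private blob    ib_key        // per-instance AES-256 key, 32 bytes
private blob    ib_iv         // per-instance CBC IV, 16 bytes
private blob    ib_sealed     // AES-CBC ciphertext of the packed attributes
private boolean ib_have_seal = FALSE

// ---- private function blob of_random_bytes (integer ai_count) ----
// Rand() is NOT a CSPRNG (stated assumption): the key only has to make
// each instance's in-memory image differ; it cannot protect against an
// attacker who can read the whole process.
blob    lb_out
integer li_i
Randomize(0)
lb_out = Blob(Space(ai_count), EncodingANSI!)
FOR li_i = 1 TO ai_count
    SetByte(lb_out, li_i, Rand(256) - 1)
NEXT
RETURN lb_out

// ---- private function boolean of_seal () --------------------------
// Encrypt ServerName/Database/LogID/LogPass/DBParm, then blank them.
// Packing uses a tab separator (assumes no attribute contains "~t").
CrypterObject lnv_crypt
string ls_plain
ls_plain = this.ServerName + "~t" + this.Database + "~t" + this.LogID + &
           "~t" + this.LogPass + "~t" + this.DBParm
ib_key = of_random_bytes(32)
ib_iv  = of_random_bytes(16)
lnv_crypt = CREATE CrypterObject
ib_sealed = lnv_crypt.SymmetricEncrypt(AES!, Blob(ls_plain, EncodingUTF8!), &
                                       ib_key, OperationModeCBC!, ib_iv)
DESTROY lnv_crypt
ib_have_seal = (Len(ib_sealed) > 0)
ls_plain = ""
this.ServerName = ""
this.Database   = ""
this.LogID      = ""
this.LogPass    = ""
this.DBParm     = ""
RETURN ib_have_seal

// ---- private function boolean of_unseal () ------------------------
// Decrypt the packed attributes back into this TO (used just before a
// re-CONNECT, or before handing the TO to GetTrans()/SetTrans()).
CrypterObject lnv_crypt
string  ls_plain, ls_part[]
integer li_pos, li_n
IF NOT ib_have_seal THEN RETURN FALSE
lnv_crypt = CREATE CrypterObject
ls_plain = String(lnv_crypt.SymmetricDecrypt(AES!, ib_sealed, ib_key, &
                  OperationModeCBC!, ib_iv), EncodingUTF8!)
DESTROY lnv_crypt
DO
    li_n ++
    li_pos = Pos(ls_plain, "~t")
    IF li_pos = 0 THEN
        ls_part[li_n] = ls_plain
    ELSE
        ls_part[li_n] = Left(ls_plain, li_pos - 1)
        ls_plain = Mid(ls_plain, li_pos + 1)
    END IF
LOOP UNTIL li_pos = 0
IF li_n <> 5 THEN RETURN FALSE   // wrong key/IV or corrupted blob
this.ServerName = ls_part[1]
this.Database   = ls_part[2]
this.LogID      = ls_part[3]
this.LogPass    = ls_part[4]
this.DBParm     = ls_part[5]
RETURN TRUE

// ---- public function boolean of_connect () ------------------------
// First connect: the caller has already set the attributes (Init logic).
CONNECT USING this;
IF this.SQLCode <> 0 THEN RETURN FALSE
RETURN of_seal()

// ---- public function boolean of_reconnect () ----------------------
// Reconnect without re-running the Init logic: unseal, connect, reseal
// (a new key/IV each time, so the sealed image changes per connect).
IF NOT of_unseal() THEN RETURN FALSE
CONNECT USING this;
IF this.SQLCode <> 0 THEN RETURN FALSE
RETURN of_seal()

// ---- public function boolean of_disconnect () ---------------------
DISCONNECT USING this;
RETURN (this.SQLCode = 0)

// ---- Application Open event (caller) ------------------------------
// SQLCA is an n_tr_secure because the Application object's Variable
// Types tab declares it so; the windows keep using SQLCA unchanged.
of_load_connect_params(SQLCA)     // hypothetical: fills the attributes
IF NOT SQLCA.of_connect() THEN
    MessageBox("Connect failed", SQLCA.SQLErrText)
    HALT CLOSE
END IF
```

Because of_unseal() restores the plain attributes, call it only immediately before the operation that needs them (of_reconnect() does this internally, and a GetTrans()/SetTrans() clone should be followed by of_seal() again); any code that inspects SQLCA.LogID or SQLCA.ServerName elsewhere, as Andreas warns, will see blanks once sealed.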